|
| 1 | +[metadata] |
| 2 | +creation_date = "2025/11/27" |
| 3 | +integration = ["nginx", "apache", "apache_tomcat", "network_traffic"] |
| 4 | +maturity = "production" |
| 5 | +updated_date = "2025/11/27" |
| 6 | + |
| 7 | +[rule] |
| 8 | +author = ["Elastic"] |
| 9 | +description = """ |
| 10 | +Through the new_terms rule type, this rule detects potential HTTP downgrade attacks by identifying |
| 11 | +HTTP traffic that uses a different HTTP version than the one typically used in the environment. An |
| 12 | +HTTP downgrade attack occurs when an attacker forces a connection via an older HTTP version, |
| 13 | +resulting in potentially less secure communication. For example, an attacker might downgrade a |
| 14 | +connection from HTTP/2 to HTTP/1.1 or HTTP/1.0 to exploit known vulnerabilities or weaknesses in |
| 15 | +the older protocol versions. |
| 16 | +""" |
| 17 | +from = "now-9m" |
| 18 | +index = [ |
| 19 | + "logs-network_traffic.http-*", |
| 20 | + "logs-network_traffic.tls-*", |
| 21 | + "logs-nginx.access-*", |
| 22 | + "logs-apache.access-*", |
| 23 | + "logs-apache_tomcat.access-*", |
| 24 | +] |
| 25 | +language = "kuery" |
| 26 | +license = "Elastic License v2" |
| 27 | +name = "Potential HTTP Downgrade Attack" |
| 28 | +risk_score = 21 |
| 29 | +rule_id = "9797d2c8-8ec9-48e6-a022-350cdfbf2d5e" |
| 30 | +severity = "low" |
| 31 | +tags = [ |
| 32 | + "Domain: Web", |
| 33 | + "Use Case: Threat Detection", |
| 34 | + "Tactic: Defense Evasion", |
| 35 | + "Data Source: Network Packet Capture", |
| 36 | + "Data Source: Nginx", |
| 37 | + "Data Source: Apache", |
| 38 | + "Data Source: Apache Tomcat", |
| 39 | +] |
| 40 | +timestamp_override = "event.ingested" |
| 41 | +type = "new_terms" |
| 42 | +query = ''' |
| 43 | +http.version:* |
| 44 | +''' |
| 45 | + |
| 46 | +[[rule.threat]] |
| 47 | +framework = "MITRE ATT&CK" |
| 48 | + |
| 49 | +[[rule.threat.technique]] |
| 50 | +id = "T1562" |
| 51 | +name = "Impair Defenses" |
| 52 | +reference = "https://attack.mitre.org/techniques/T1562/" |
| 53 | + |
| 54 | +[[rule.threat.technique.subtechnique]] |
| 55 | +id = "T1562.010" |
| 56 | +name = "Downgrade Attack" |
| 57 | +reference = "https://attack.mitre.org/techniques/T1562/010/" |
| 58 | + |
| 59 | +[rule.threat.tactic] |
| 60 | +id = "TA0005" |
| 61 | +name = "Defense Evasion" |
| 62 | +reference = "https://attack.mitre.org/tactics/TA0005/" |
| 63 | + |
| 64 | +[rule.new_terms] |
| 65 | +field = "new_terms_fields" |
| 66 | +value = ["http.version", "agent.id"] |
| 67 | + |
| 68 | +[[rule.new_terms.history_window_start]] |
| 69 | +field = "history_window_start" |
| 70 | +value = "now-7d" |
0 commit comments